[c-nsp] much to much filtered packets punted to CPU on 7604
Brian Turnbow
b.turnbow at twt.it
Fri Oct 8 07:02:43 EDT 2010
> see both counters from "sh access-list" and "sh tcam interface.."
> increasing at nearly the same rate (see below).
>
> I use 2 extended ACLs applied to an interface for filtering
> inbound/outbound traffic. There is plenty of TCAM space, I
> don't use the log statement, and "no ip unreachables" is
> configured on each interface.....
> What am I missing?
Below you have

    mls rate-limit unicast ip icmp unreachable acl-drop 1000 10

so 1000 pps will pass. Try

    mls rate-limit unicast ip icmp unreachable acl-drop 0

to stop any packet dropped by the ACL from getting to the CPU.

> mls rate-limit unicast ip rpf-failure 0
> mls rate-limit unicast ip icmp redirect 0
> mls rate-limit unicast ip icmp unreachable no-route 1000 10
> mls rate-limit unicast ip icmp unreachable acl-drop 1000 10
> mls rate-limit unicast ip errors 1000 10
> mls rate-limit all ttl-failure 1000 10
> mls rate-limit all mtu-failure 1000 10
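
The check suggested in the reply above, as an added example that is not part of the original message or thread: a small Python audit that parses the quoted `mls rate-limit` lines and lists the limiters whose rate is above 0. The function names and the `FIXED` variant are constructed for this example; that a rate of 0 lets nothing through to the CPU is taken from the reply.

```python
import re

# Rate-limiter lines quoted in the thread, copied as posted.
CONFIG = """\
> mls rate-limit unicast ip rpf-failure 0
> mls rate-limit unicast ip icmp redirect 0
> mls rate-limit unicast ip icmp unreachable no-route 1000 10
> mls rate-limit unicast ip icmp unreachable acl-drop 1000 10
> mls rate-limit unicast ip errors 1000 10
> mls rate-limit all ttl-failure 1000 10
> mls rate-limit all mtu-failure 1000 10
"""

# Constructed variant: the same lines with the change the reply suggests.
FIXED = CONFIG.replace("acl-drop 1000 10", "acl-drop 0")

# mls rate-limit <scope> <case words...> <pps> [<burst>]
LINE_RE = re.compile(r"^mls rate-limit\s+(\S+)\s+(.+?)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_limiters(text):
    """Return one dict per 'mls rate-limit' line; mail quote markers are ignored."""
    limiters = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        m = LINE_RE.match(line)
        if not m:
            continue
        scope, case, pps, burst = m.groups()
        limiters.append({
            "scope": scope,
            "case": case,
            "pps": int(pps),
            "burst": int(burst) if burst is not None else None,
        })
    return limiters


def punting(limiters):
    """Limiters with a rate above 0, i.e. ones that still pass packets to the CPU."""
    return [lim for lim in limiters if lim["pps"] > 0]


if __name__ == "__main__":
    for label, text in (("as posted", CONFIG), ("with acl-drop 0", FIXED)):
        print(label)
        for lim in punting(parse_limiters(text)):
            print(f"  {lim['scope']} {lim['case']}: {lim['pps']} pps, burst {lim['burst']}")
```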